From d042972b00628310f2bba67dc04d9b317f0b339d Mon Sep 17 00:00:00 2001 From: Paul Ebermann Date: Thu, 1 Nov 2018 18:46:17 +0100 Subject: [PATCH] Fix Jackson vulnerability. This was triggered by an alert from Github: https://github.com/zalando-nakadi/nakadi-producer-spring-boot-starter/network/alert/nakadi-producer/pom.xml/com.fasterxml.jackson.core:jackson-databind/open (As I'm not sure how useful this URL will be after I resolve the alert, here the gist of its content + my interpretation.) com.fasterxml.jackson.core:jackson-databind was at version 2.8.8, which is affected by a bunch of remote code execution vulnerabilities: - CVE-2017-17485 - CVE-2018-7489 - CVE-2017-7525 Versions from 2.8.11 or higher are not affected. As the dependency version suggested by our parent pom (spring-boot-starter-parent) is 2.9.6, we can just remove the version number here. (I don't think the use of Jackson in this library is vulnerable, as we are not parsing, only creating JSON, but it is better to not carry broken dependency versions into any application.) While doing this, I also removed some other version numbers in our pom.xml which have the same or newer versions in the parent. --- nakadi-producer/pom.xml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/nakadi-producer/pom.xml b/nakadi-producer/pom.xml index 929f1faf..a257b3c0 100644 --- a/nakadi-producer/pom.xml +++ b/nakadi-producer/pom.xml @@ -33,12 +33,10 @@ com.fasterxml.jackson.core jackson-databind - 2.8.8 org.slf4j slf4j-api - 1.7.25 org.zalando @@ -70,13 +68,11 @@ org.mockito mockito-core - 2.8.9 test junit junit - 4.12 test @@ -105,7 +101,6 @@ org.apache.maven.plugins maven-source-plugin - 2.2.1 attach-sources @@ -118,7 +113,6 @@ org.apache.maven.plugins maven-javadoc-plugin - 2.9.1 -Xdoclint:none
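Review bot: In the first hunk (`@@ -33,12 +33,10 @@`), dropping `2.8.8` from `jackson-databind` only fixes the advisory if the resolved version really comes from the parent's dependency management; the hunk itself does not show the parent or its managed version, so the claim in the commit message ("2.9.6 from spring-boot-starter-parent") should be verified before merge with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` or `mvn help:effective-pom`, confirming a version of 2.8.11 or higher. The same applies to `slf4j-api` losing `1.7.25`: fine as long as the parent manages it. Worth noting in the PR that the fix now depends on the parent version staying current, so a future downgrade of the Spring Boot parent would silently reintroduce an affected jackson-databind; a dependency alert or enforcer rule on the resolved version would guard against that.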
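Review bot: In the second hunk (`@@ -70,13 +68,11 @@`), removing `2.8.9` from `mockito-core` and `4.12` from `junit` means the test dependencies now take whatever major version the parent manages; the hunk gives no indication that the test sources were run against the inherited versions. Please confirm the inherited `mockito-core` is still a 2.x line (the 1.x and 2.x APIs differ) and that `mvn test` passes with the effective versions, and mention the resolved versions in the PR description so the test-scope change is traceable.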
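Review bot: In the third hunk (`@@ -105,7 +101,6 @@`), removing `2.2.1` from `maven-source-plugin` is only safe if the parent pins the plugin in `pluginManagement`; otherwise Maven warns about an unversioned plugin and the build stops being reproducible, since the plugin version is then resolved at build time. Suggest checking `mvn help:effective-pom` for a managed `maven-source-plugin` version and, if none is present, keeping an explicit version here.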
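Review bot: In the last hunk (`@@ -118,7 +113,6 @@`), `maven-javadoc-plugin` loses `2.9.1` while the `-Xdoclint:none` configuration is kept; as with the source plugin, this relies on the parent managing the plugin version. A newer inherited javadoc plugin can treat doclint and JDK options differently, so please run `mvn javadoc:jar` (or the release profile that invokes it) once with the inherited version to confirm the javadoc build still succeeds before merging.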